Spammers Strike Back
November 3, 2003 2:10 PM

Spammers Strike Back - It looks like spammers aren't going to stand for your rejection of their messages. One of the current virii (Mimail in various incarnations) is specifically designed to launch dDoS attacks against anti-spam websites. A newsletter at describes this attack in detail, but you may not be able to read it since the site is currently under attack. In other words, the spammer's attacks are working. Spam fighters are getting driven off the Net. [more inside]
posted by y6y6y6 (30 comments total)

At first my reaction is that I don't need to worry. I'm pretty serious about never opening attachments period. And my spam filter (POPFile) uses Bayesian rules rather than a published blacklist. But then I start to realize this may be naive. Spammers aren't stupid. In fact they're proving to be pretty crafty. I don't think there is any chance they'll stop at flooding my email, infecting my computer, and installing a server which is selling dick cream from my computer while I'm at work.

What will be next? Will they threaten to report me to the FBI as a terrorist if I don't remove my spam filter? Will they hold my credit report hostage until I agree to buy Viagra?

Since they clearly don't care about the law what will be the next step in this escalating war?
posted by y6y6y6 at 2:11 PM on November 3, 2003

What upsets me is that occasionally while cleaning out my junkmail cache I see subject headers that allude to child pornography. It's bad enough that I now know there's a market for farm animals.
posted by konolia at 2:15 PM on November 3, 2003

Virii? Viruses.
posted by TimeFactor at 2:28 PM on November 3, 2003

If we had laws that allow civil suits (or even criminal ones) to be filed against computer hijacking for DDoS attacks, along with consumer advocacy groups willing to hire lawyers to use that law to go after spammers who hijack computers for DDoS attacks, I'd definitely chip in a few bucks for the effort.

It's obvious that having ISPs cancel accounts isn't nearly strong enough of a deterrence against the more nefarious forms of spamming. Not to mention the punishment aspect, never mind deterrence.
posted by DaShiv at 2:28 PM on November 3, 2003

I can't wait till we see some stupid senator who has no idea what s/he's talking about come out and say that it's unfair that spammers should get shut down. This whole joe jobbing and all the like is such a joke. But as I heard someone from grokster (actually, formerly of grokster) say on television last night - technology always wins - so who's going to win in this battle?
posted by djspicerack at 2:28 PM on November 3, 2003

absolutely brilliant linkage on 'virii', my hat is off to you.

to the point: alls people hafta do is stop using windows. nothing wrong with lunix or one of the various bsds (e.g. osx). or if they really have to use windows for whatever reason, just stop using ie and outlook/oe. s'all it takes to stop this recent form of abuse.

whether spam itself is criminal, is still badly-defined by law if at all; but denial of service attacks are unquestionably criminal. the funny thing is that the fbi doesn't really seem to care (except when one of their own starts getting phish spams, heh) -- little if anything has been done in response to the recent and ongoing attacks which shut down, hit spews rather hard, and are not hurting spamhaus terribly much thanks to some geewhiz new tech.

but at least stiff linefeed has mentioned that spamhaus does plan to do some heavy malleting of the attackers in a few weeks' time.

dj: from an arms-vs-armor perspective, arms always win in the end. kinda depressing in this case. and I don't doubt that there are senators out there Powered By DMA™ and paid for by mainsleaze, who will argue against any non-toothless anti-spam legislature.
posted by dorian at 2:33 PM on November 3, 2003

headers that allude to child pornography. It's bad enough that I now know there's a market for farm animals.

+=+=+=+=+=+=+ FARM LOLITA ACTION! +=+=+=+=+=+=+
posted by quonsar at 3:07 PM on November 3, 2003

FWIW, the Spamhaus DNSBL (DNS Blackhole List) seems to be working, as I use them on my mail server.... The web server is currently erratically available from my location, though. Looks like the DDOS tool they were bragging about has issues...
posted by Samizdata at 3:33 PM on November 3, 2003

Oh, yeah, for a server with 54 users, I seem to be averaging anywhere between 15 to 25 percent of total traffic as spam. And that's the detected stuff (although none of my users seem to complain)...
posted by Samizdata at 3:35 PM on November 3, 2003

"to the point: alls people hafta do is stop using windows. nothing wrong with lunix or one of the various bsds (e.g. osx)."

Bullshit. I use windows and Outlook, no virus scanner, I've done so for five years, and I've never gotten a virus. One of my users at work manages to get herself infected annually, despite the firewall, despite using Eudora, and despite a daily-updated copy of Norton AV. Even for the more notorious bugs that exploit the preview pane, one must actually use the preview pane for them to be of any use.

Viruses spreading has always been and always will be a user issue, and if the majority of people switched to linux, then suddenly we'd see a whole lot of linux viruses and a whole lot of people getting them in stupid ways.
posted by kavasa at 3:47 PM on November 3, 2003

Agreed on the Linux/Windows issue. The OS with the market share gets the lion's share of abuse...
posted by Samizdata at 3:54 PM on November 3, 2003

*checks to make sure the copy of BackOrifice I put on kavasa's machine 3 years ago is still operational*
posted by willnot at 4:11 PM on November 3, 2003

As noted in the article, Graham Cluley of Sophos thinks it's almost "too obvious" to trace this new virus to spammers. What puzzles me is that Spamhaus, who do think spammers are behind it, also think the authors wrote the variant W32.Mimail.C, which "targets websites with the phrase 'darkprofits' in their URL, including and Neither site was accessible at 1800 GMT on Monday. The motive this DDOS is not known." Indeed. Why would spammers target -- except perhaps to disable a competitor? I've seen tons of pretty evil spam from darkprofits.
posted by macrone at 4:23 PM on November 3, 2003

alls people hafta do is stop using windows
The reason Windows is targeted is that the majority of the world's computers use it. Should you by some remote chance be successful in persuading large numbers of people to change to *nix machines, they would very quickly find themselves the target of viruses as well. To say that all you need to do is not use Outlook/IE is a very simplistic way of looking at the problem. No matter what your e-mail client is, opening the attachment will activate the virus. One way of minimizing the chances of being infected is to disable the preview pane and instead use "auto-preview" so that you can make an assessment of the contents of the message in plain-text form before opening it and thereby executing any malicious code contained in the HTML. Unfortunately, there is no simple solution to the problem of spam and related viruses, particularly given that spam is still legal in many countries and it is not practical to pursue spammers across international borders in any case.
posted by dg at 4:23 PM on November 3, 2003

macrone: Those spams were apparently a joe-job. The google cache indicates it's really just a bulletin board exposing Internet scams and Internet privacy issues.
posted by cmonkey at 4:46 PM on November 3, 2003

I use windows and Outlook, no virus scanner, I've done so for five years, and I've never gotten a virus.

er, so you're smart. I used to use windows too, and I never got a worm or trojan or anything, and I'd put it down to my own behavior rather than that of the os. web browser executing code at a system level?! scares the hell out of me, so I used browsers that were not capable of such ridiculousness.

One of my users at work manages to get herself infected annually, despite the firewall, despite using Eudora, and despite a daily-updated copy of Norton AV.

doesn't this tell you something? billy-boy recently said that it's her own damned fault, and while he might be right, he should also be trying to do something about the os that he sold her that allows it to happen in the first place.

the argument about % market share does not hold. user privileges in linux, bsd, osx, etc. are not defaulted to root/administrator as they are in windows (excepting abominations such as lindows). web browsers and mail clients in linux, bsd, osx, etc. are not defaulted (or even able, jeez) to execute code at a system level as windows is, and even if they were, the lack of user privileges would prevent this.

the success of the majority of these abuses is due to social engineering, which windows does not prevent by default, and just about every other current os out there does. there are still exploits out there which require no action on the part of the user other than simply browsing to a website with ie or looking at a mail in the preview pane -- yes, the windows web/mail client can be set to prevent these things, but does it by default? no.

as I said, running an alternative such as opera or mozilla as web/mail client would eliminate a lot of these. would users still save-n-execute attachments? heh, probably. would the simple act of browsing a website be able to hose your machine? no. would the spammers find new ways in? of course they will, why else would I despair of the arms-vs-armor race? but that sure as hell doesn't mean the door should be left open for them in the first place.

hey, I'd love to see masses of people switch away from windows and try to prove me wrong... beos, os2, newtonos, there are tons of things out there infinitely more secure than windows, and it's surely not simply due to "obscurity".
posted by dorian at 4:59 PM on November 3, 2003

cmonkey: Thanks for the clarity. I never looked closely enough at the forged mail to get the joke.
posted by macrone at 5:32 PM on November 3, 2003

user privileges in linux, bsd, osx, etc. are not defaulted to root/administrator as they are in windows
Since when did (most) viruses need administrator access to run? If they did, most of the corporate world would be immune from them.

the argument about % market share does not hold
There is no doubt that operating systems other than Windows are targeted less by viruses, but that is precisely because of the market share. Imagine for a moment that you are a bottom-feeding scum-sucking dirtbag who decides to write a virus. Do you write one for an operating system that very few people in the real world (geekdom is, in this context, an insignificantly small portion of the world) use or do you write it for the operating system that most people use (either by choice or because that is what they are given at work)? If the day ever comes that *nix is the dominant operating system worldwide, guess which one will be copping all the viruses? If that ever comes to pass, it will be interesting to see how secure *nix really is. I suspect that your non-root access will not save you any more than giving users in a corporate Windows environment restricted access saves them now.

Getting somewhat back on topic, though, the fight against spammers is just as unwinnable as any fight against evil is in the modern world. While the spammers can and will resort to any method available to them to perpetrate their dirty deeds, those fighting them have to "fight the good fight" and stick to the rules. If the forces fighting against spammers were able to ignore laws and take the battle to the same level, there may be some hope. Otherwise, it is a cause with no hope.
posted by dg at 5:36 PM on November 3, 2003

Since when did (most) viruses need administrator access to run? If they did, most of the corporate world would be immune from them.

good point -- even without administrator access, windows is susceptible to malware corrupting and abusing things at a system level. cracking brilliant design.

as someone who has designed operating systems, I like to believe, in my own little arrogance, that I should be right about the ms issue; but I am perfectly happy to say: ok, let's just disagree philosophically and get back on topic. because if there's anything I hate more than ms, it's spam (and don't even get me started on spam from ms, heh).

Otherwise, it is a cause with no hope.

possibly, but I'm not ready to believe that just yet. and if truly there is no hope, there are already protocols in place for fighting fire with fire.

one thing that has to be done is get more people active with the whole boulder pledge notion. how many people do you know that have been spammed by, say, amazon? lots. how many of those people still buy stuff from amazon? lots. how many of those people would say that they hate spam? lots. we need to discourage companies from profiting from spam; we need to get people to realize that it is 0% about content and 100% about consent.

in addition, use of dnsbls such as spamhaus, spews, spamcop, ahbl, orbl, sorbs, etc. is thousands of times more important than end-user filtering. I mean, I love the concept of naive-bayes-type filtering 'cos it keeps my inbox so sparkly clean, but really, it has little effect in actually combatting spam. (then again, I'm not someone who would buy some spamvertised product, and I try to do a thorough researching and complaining job rather than simply deleting filtered spam). we and our admins and our isps need to discourage other admins and isps from profiting from spam.
posted by dorian at 6:30 PM on November 3, 2003
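Both Samizdata (who runs the Spamhaus list on his own mail server) and dorian (who rates DNSBLs above end-user filtering) lean on the DNS blocklist mechanism without spelling it out. The following is an added example, not code from the thread or from any of the lists named: it builds the reversed-octet query name, reads the 127.0.0.x answer, and runs the sanity check a mail admin wants before trusting a zone. The zone names (`bl.example`, `dead.example`), the 192.0.2.0/24 addresses and the in-memory fake resolver are all constructed so the example runs offline; swap in the default `socket` resolver and a real zone to use it against live DNS.

```python
import ipaddress
import socket


def dnsbl_query_name(ip, zone):
    """192.0.2.44 + bl.example -> '44.2.0.192.bl.example.' (reversed octets)."""
    addr = ipaddress.ip_address(ip)
    if addr.version != 4:
        raise ValueError("this example handles IPv4 only")
    reversed_octets = ".".join(reversed(str(addr).split(".")))
    return f"{reversed_octets}.{zone.rstrip('.')}."


def socket_resolver(name):
    """Default resolver: a live A lookup via the system resolver; None = NXDOMAIN."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None


# Constructed fake zone data standing in for real DNS answers.
FAKE_DNS = {
    "44.2.0.192.bl.example.": "127.0.0.2",   # a listed address
    "2.0.0.127.bl.example.": "127.0.0.2",    # RFC 5782 test entry: must be listed
    # 1.0.0.127.bl.example. deliberately absent: must NOT be listed
    "2.0.0.127.dead.example.": "127.0.0.2",  # a zone that lists everything...
    "1.0.0.127.dead.example.": "127.0.0.2",  # ...including the must-not-list address
    "44.2.0.192.dead.example.": "127.0.0.2",
}


def fake_resolver(name):
    return FAKE_DNS.get(name)


def check_dnsbl(ip, zone, resolve=socket_resolver):
    """Return the answer code (e.g. '127.0.0.2') if ip is listed in zone, else None."""
    answer = resolve(dnsbl_query_name(ip, zone))
    if answer is None:
        return None
    # Every real list answers inside 127.0.0.0/8; anything else is a
    # misconfigured zone or a wildcard domain, not a listing.
    if ipaddress.ip_address(answer) not in ipaddress.ip_network("127.0.0.0/8"):
        raise ValueError(f"{zone} returned non-loopback answer {answer}")
    return answer


def zone_is_sane(zone, resolve=socket_resolver):
    """RFC 5782 self-test: 127.0.0.2 must be listed and 127.0.0.1 must not be.
    A list that has been shut down and wildcarded fails this and would otherwise
    cause the server to reject all mail."""
    return (check_dnsbl("127.0.0.2", zone, resolve) is not None
            and check_dnsbl("127.0.0.1", zone, resolve) is None)


def should_reject(ip, zones, resolve=socket_resolver):
    """Consult each zone in order; skip any that fails the sanity check."""
    for zone in zones:
        if not zone_is_sane(zone, resolve):
            continue  # a broken zone is ignored rather than trusted
        if check_dnsbl(ip, zone, resolve) is not None:
            return True, zone
    return False, None


if __name__ == "__main__":
    for ip in ("192.0.2.44", "192.0.2.99"):
        print(ip, should_reject(ip, ["dead.example", "bl.example"], fake_resolver))
```

The order of checks matters operationally: when a list's web site is under attack (as Spamhaus's was at the time of the thread) the DNS zone usually keeps answering, but a list that goes away entirely may start answering for every name, which is exactly the case `zone_is_sane` catches.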

Those of you touting the market share = virii argument are in a serious state of denial. MS internet products are full of holes. Period. Stick with MS and learn to deal with spam, virii, spyware, etc. and quit complaining to those of us who got smart a long time ago and abandoned MS products.

If using 93 octane gas caused my GM automobile and others to sputter and stall would I complain to the refinery that produced the gas if all other automakers cars ran just fine on it? Common sense says no. I would eventually abandon the automobile (or find someone with no common sense but tons of brand loyalty to buy it) and buy an automobile that did not have the inherent gas problem. In my case I'd buy a Porsche (Mac) or a Honda (Linux) and get on with my life. :)
posted by photoslob at 7:39 PM on November 3, 2003

funny you mention honda (courtesy fark, of all places). but at least they're being responsible for their fsckup rather than blaming the consumer.

as a former motorhead, I do have to nitpick that 93 octane is probably bad (higher octane == harder to burn) for the majority of passenger cars (don't explicitly require it), and would most certainly cause sputtering and stalling. only a higher-compression engine that says so in the manual or on the fuel gauge, should have high-octane fuel (e.g. porsche or specific hondas...). 87/89/whatever burns cleaner and more efficient for the rest. then again, it's the driver's damned fault for choosing the wrong gas in that case (although compounded by the misleading marketing of oil companies....oooh, ok, now I see where you were going!)

(and, holy crap, slob, I like your portraits!)
posted by dorian at 8:50 PM on November 3, 2003

I find it somewhat amusing that people like photoslob are mocking ms so much for the holes in the operating system. Ok, yeah, it's got a few holes. Guess what? Linux hasn't exactly been free of holes either. And quite frankly, linux is compromised pretty frequently. Why? Because there's a lot of people out there running linux that don't stay up to date on updates. Same reason windows machines get hacked. Amazing how that works. Meanwhile, freebsd, which quite often will have the same holes as linux (because it's frequently in the same software), tends not to be compromised quite as much, because it just isn't targeted as much. It's a very simple lesson. Any operating system not properly maintained is a security nightmare waiting to happen.

Oh, and 93 octane? Don't put it in a passat's 1.8 turbo engine here in michigan (which, I'll note, recommends premium fuel). Turns out the formulation of the fuel here in michigan burns hotter, and it's not good for the turbo. Dealership recommends using at best mid grade, and regular during the winter.
posted by piper28 at 9:24 PM on November 3, 2003

OK, dorian - I agree to disagree. About the MS/*nix thing anyway - I think you are wrong about the fuel octane thing, though. I have used left-over aviation fuel (100 octane) in several of my cars (as well as various other exotic race fuels) for many years with no ill-effects. In fact, I can notice the improvement in performance and smoothness when using higher-octane fuels. Perhaps there are different additives in the fuel you buy in the US, which could have some effect. I know that the diesel you buy there is significantly different to that which we buy here.
posted by dg at 9:48 PM on November 3, 2003

(and, holy crap, slob, I like your portraits!)

posted by dejah420 at 9:52 PM on November 3, 2003

posted by dg at 10:13 PM on November 3, 2003

[car pedant]
Higher octane is merely the resistance to auto-ignition (knock). For non-performance vehicles, the way the motor is tuned is such that high-octane gas is not required. In older high-perf cars, putting regular gas in would make the car ping at high load (or run-on after you remove the ignition key) because the fuel-air mixture is igniting before the spark plug fires. Higher octane, with its resistance to auto-ignition, won't do this. For example, in my '70 Impala, if I don't put in primo gas, it knocks like a bitch up every hill once the engine is warm (the speedo is unhooked, so that's how I know when my dad "borrows" the car - he's cheap!) In newer high-perf cars (and even econoboxes, now) there are knock sensors, which, if knock is detected, automatically retard the timing until the knock goes away.

Unfortunately, retarding the timing takes the engine out of its ideal state of tune, so power goes down. In performance vehicles, since there's more power to be had, this effect is more pronounced in general. If a non-performance car (or one that only requests regular gas in the owner's manual) shows marked improvement with the introduction of higher-grade gas, I would suspect that either the engine is in dire need of an intake cleaning (gunk makes for higher likelihood of auto-ignition), that the timing is messed up, or that an incorrect heat range of spark plugs were installed.

That being said, I occasionally put mid-grade in my CRX, change the timing, and drive the shit out of it. ;)
posted by notsnot at 11:14 PM on November 3, 2003

since notsnot said it better than I could about the gasoline, I will just say this:

linux == kernel; bsd == kernel
os == gnu, mostly, and for damned sure.
you made baby-rms cry. and spin in his not-grave. and such.

ghod, I love metafilter. weren't we arguing^Wtalking about spam?! I need more beer...
posted by dorian at 11:41 PM on November 3, 2003

If the day ever comes that *nix is the dominant operating system worldwide, guess which one will be copping all the viruses?

Architecture really does matter. No matter how clever a scriptkiddie you might be, you just can't make up a virus transmission vector from scratch. All you can do is exploit existing architectural weaknesses. Years ago, there were a fair number of Mac viruses - nothing like the "new virus every week" sort of thing we see now, but it was a big enough deal that Mac users bought virus protection software and scanned all their floppy disks. Why? Because this was before the Internet, and people shared data by trading floppy disks; also, the Mac OS had basically no local security of any kind (any program could write to any memory and alter any file). So people wrote clever little programs that patched themselves into some application, took a ride on a floppy disk, and when launched on a new machine, took advantage of the lax security and patched themselves into more applications. There were at least a dozen variants on this idea. They all went extinct when people stopped swapping floppy disks around, and since then viruses are rarely a problem on the Mac OS. Now, until the release of Mac OS X, there still wasn't much local security - but there was no more transmission vector, no way to secretly get code from one place to another and get it activated so it can reproduce itself.

Over in Windows-land, Microsoft has been busily linking all their software together with COM and other technologies, and have embedded a convenient and easy-to-use scripting system. Viruses proliferate on Windows because there's an easy transmission vector: propagate by sending email via Outlook, and execute code on the target machine using VBScript or one of the many filename extension/mimetype confusion bugs in IE.

Your assertion that it's all about market share implies that you believe Mac OS X and Unix have architectural problems that are just as tempting as the Outlook/Explorer/VBScript combination on Windows, and that the only reason they aren't used as virus vectors too is that there aren't enough machines to make it worthwhile. That's an understandable belief, but it's wrong. There were enough Macs to make virus writing worthwhile fifteen years ago when there were less than a million of them altogether. Unix machines - well, people have been hacking into them, and securing them against hacks, for longer than Mac OS and Windows have existed. (Here's one relevant case.) If there were security flaws which allowed this kind of automatic code-propagation, they would be well documented by now and people would take advantage of them. People write viruses because it is a challenging and enjoyable technical exercise. Writing a virus for a supposedly virus-proof operating system would be a big challenge and you can bet that people would do it just for the thrill and (pseudonymous) fame of having accomplished it. Of course most of the people who actually release viruses are scriptkiddies playing with knockoff code they don't really understand, but that doesn't matter; there are plenty of people out there who would try it just to see if they could pull it off.
posted by Mars Saxman at 10:40 AM on November 4, 2003

Mars, I'm saying that if unix were more popular, there'd be mom an' pops spending time logged in as root, and when they got an email with a friend's name in the "From:" line with a binary attached, they'd run it. There's not a whole lot you can do about that architecturally. When you get right down to it, an OS has to allow a user to do stupid things, if in a non-obvious way, because some users and administrators need the capability to do stupid things to instead do useful things. This, of course, means that bad men can do malicious things, and thus I will continue to hold that if Debbie and people like Debbie used Linux, she'd still get virii.

Could MS do shit to fix some security holes? Sure, and I still don't use IE until I absolutely have to (website renders improperly in everything else). It's certainly less secure than the *nixes. Nevertheless, the scope of problems viruses are causing these days are due to people with severe cases of temporary or permanent dumb, I think.
posted by kavasa at 1:58 PM on November 4, 2003

Good explanation, Mars Saxman. You note that "most of the people who actually release viruses are scriptkiddies playing with knockoff code they don't really understand" and this, in my oh-so-humble opinion, is where most of the viruses come from in the first place. A more secure operating system would keep out the script kiddies and leave the playing field open only to those who take writing viruses seriously and have the tech skills and deep understanding of operating systems it takes to properly exploit security holes. If it were only these people writing viruses, we would not have nearly the same problem that we do now, simply because of the drastically reduced numbers of viruses that would be propagating. Things would then go back to being something of a cat and mouse game between the hackers and the OS/anti-virus suppliers, mostly unheard of by the great unwashed.

As kavasa says, MS could certainly do some things to plug up holes, but this would be at the expense of their customers who want to be able to jump in and change every possible system setting on a whim. It is easy to take the high road and impose high levels of security on users, but when those users are your customers, you give them what they want (whether they should have it or not) or you go broke.

As I see it, the real problem is not with the OS or browser or e-mail client, it is with that scourge of support personnel everywhere - the user. If you practice safe computing by not opening files you are not certain are safe, you can avoid 99% of viruses. In my experience from supporting a couple of (small) networks, viruses can usually be traced back to some fuckwit who opened an attachment because the sender's name was someone they knew. If we could eliminate the users, almost all IT support issues would be resolved immediately ;-)

notsnot, you are correct about octane rating, but most modern cars will adjust the timing to suit whatever the current engine conditions are, including advancing the timing to the most efficient point - this point is moved further up the scale by the use of higher octane fuel. This allows the engine to realise the higher potential energy of the fuel, generating more horsepower. When you talk about many of the premium fuels available today, there is a lot more to them than a higher octane rating, also. Most of them have other additives to help release the potential energy of the fuel without harming the engine. I have tested 100 octane avgas against 100 octane high-performance fuel and there is a measurable difference in performance.
posted by dg at 2:58 PM on November 4, 2003